Social media security

Working remotely and from home poses additional challenges for social media security. These pages set out the University of Sheffield’s guidance for keeping social media secure in 2020, broken down into five steps.

Use multi-factor authentication to protect your accounts

MFA, or ‘multi-factor authentication’, reduces the risk of your social media accounts being hacked by adding additional security checks when you log in. These could include a code sent to your mobile phone, use of an authenticator app or a physical device you take with you. Alongside a strong password, MFA can make it substantially more difficult for hackers to take control of your accounts.

The University of Sheffield recommends use of MFA on all social media accounts. This includes (but is not limited to) department and institution accounts.

To note, MFA is distinct from two-factor authentication. As the name suggests, two-factor authentication utilises two security checks. MFA can involve more than two checks and is comparatively more secure as a result.

The MFA options used by major social media companies break down into two categories: phone-based and non-phone-based.

If you decide to use a phone-based solution, make sure access to your phone is secure. That means a difficult-to-guess passcode or PIN and ideally a biometric security process such as facial or fingerprint recognition. Also make sure your phone’s system software is up to date to ensure you’re patched against the latest security threats.

Phone-based MFA solutions are generally provided via either SMS message or app. With one-time codes, an SMS text message containing a code is sent to your phone, and you input that code into the login screen of your social media account. There have been instances of codes being intercepted, and they’re not a good option if you’re in a location with poor cellular access.

Authenticator apps require more setup but have fewer vulnerabilities. Setting up usually involves scanning a QR code with your mobile phone. This adds the account to your app. Once connected, you’ll be asked to enter a code from your authenticator app every time you log in to your social media account.

The process for setting up MFA is different for each social media platform and provision is subject to change.

  • Twitter
  • Instagram
  • Facebook. In addition, Facebook Business Manager, which provides a single workspace for managing work-based Facebook pages and assigning Facebook users roles within, has its own authentication proposition.
  • LinkedIn
  • YouTube provision is provided via parent company Google.

LinkedIn, Facebook and YouTube are slightly different in that access isn't controlled by a single user name and password and is managed by giving named people admin access.

The links above have been identified as providing the best signposted guidance for staff at time of writing. If you experience any broken links please contact us.

Level-up your passwords with a password manager

Don’t write your passwords down. Don’t put them on a sticky note on your laptop or in a text file on your desktop. Some web browsers will offer to remember and autocomplete passwords for you, which is convenient but can be a risk if your device is lost or stolen. Google Chrome includes Password Checkup, which analyses your saved passwords and lets you know which are weak.

As a minimum, ensure the passwords you create and memorise for professional accounts are unique and difficult to guess. Or use a password manager to do this for you.

Password managers store and remember all your passwords for you so you only have to remember a single password. They can also generate passwords based on variables you select, such as number of characters. And if your social media accounts have multiple backend users, they can provide secure sharing, for a price.

There's more on strong passwords and password managers on the IT Services’ Information Services pages.

Stop oversharing

‘Shares’ are one of the main currencies of social media activity but it’s easy to give away information or data that could be used to compromise you and your work. So check your practice with a few simple behaviours.

  • Avoid posting personal information that others could use to impersonate you.
  • Check the veracity of news stories before sharing them round. A quick web search on the headline or pasting a line of text can often confirm whether you’re passing on useful info or propagating a hoax.
  • Watch out for ‘Facebook challenges’ that ask you for personal information which could be used to gain access to your account.
  • Livestreaming on Facebook or Instagram? Check that you’re not giving away personal information on screen.

More formally, review your privacy settings on a platform-by-platform basis to plug security gaps. Start with Facebook, whose granularity on privacy settings can be daunting. Their Privacy Checkup tool breaks these down into a few key areas, such as ‘who can see what you share’, and is a good place to start.

Remote working can mean more time online, so be alert to fake password reset or security alert emails that you’d normally spot as fraudulent, especially if they ask you to pass on passwords or personal information.

Be location aware

Geotagging is still a part of Facebook and Twitter’s proposition at time of writing. Although it can be handy to share where you are, be wary of revealing information about your location that could be used maliciously. Especially if you’re working remotely.

On Facebook, avoid ‘checking in’, which tags photographs you post with location information. And review your phone’s photo settings to make sure geolocation information isn’t being captured as part of metadata when you take a picture.

Twitter removed geotag functionality for posts in 2019, although it is still possible to tag photographs. We recommend avoiding this functionality.

Run your own social media security audit

Old, out-of-date phone and browser apps can be more easily hacked. Review your third-party apps and delete those that aren’t being kept updated for the latest operating software.

Set up automatic updates for apps and phone, tablet, laptop and desktop software.